Friday, February 6, 2015

Indicators - Word Document Macro Virus

There have been many write-ups about these macro viruses on other security blogs and traffic analysis sites. However, I wanted to add a few indicators that I have observed so far.

Threat Name: The macro virus has been seen downloading multiple malware types under a variety of names.

Indicators: The email subject may contain the word 'Invoice' along with an invoice number. The attachment is a Word document with the .docm extension, which indicates a macro-enabled document. The document may also contain the word 'Invoice' in its name.

Post Infection: The user will only get infected if they allow the macro to run. Microsoft Word will warn the user that enabling macros could damage their computer, which is very true in this case.

Domains Contacted: The following domains were contacted after the macro was allowed to run.

  • drevenak.cz - 217.31.49.20
  • vivercomrequinte.com.br - 174.36.74.119
  • jamesdev.co.uk
  • www.otmoorelectrical.co.uk - 84.22.163.83
  • api.ipify.org
  • *.tor2web.org
  • *.tor2web.ru

Files Downloaded: The following files were observed being downloaded after the macro was enabled.

  • bin.exe - https://www.virustotal.com/en/file/63224095c15ff1206e65d0b8e69a0f7ffc75025d6e5427b206503a5f3e9cf24b/analysis/
  • vv.exe - https://www.virustotal.com/en/file/b261f19aab21889d256266bdeb8c1e3e408d495ef4a5648c4f237696f120706b/analysis/1423149772/

Network Indicators:

  • URI: GET /js/bin.exe
  • URI: GET /wp-content/uploads/vv.exe
  • URI: POST /gate.php

Prevention: Block all .docm files on your email server, if possible. Trying to blacklist the domains may be a futile effort as they can easily change; the same goes for trying to block the executable files.
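As an added example (not part of the original post), here is a small Python scanner that runs the domains, IPs and request paths listed above against proxy log lines, grouping hits per client so an infected machine's activity is visible together. The log format and the sample lines are constructed for the example (documentation IPs), not captured traffic.

```python
import re

# Indicators exactly as listed in the post above.
IOC_DOMAINS = {"drevenak.cz", "vivercomrequinte.com.br", "jamesdev.co.uk",
               "www.otmoorelectrical.co.uk", "api.ipify.org"}
IOC_SUFFIXES = (".tor2web.org", ".tor2web.ru")          # matches *.tor2web.*
IOC_IPS = {"217.31.49.20", "174.36.74.119", "84.22.163.83"}
IOC_REQUESTS = {("GET", "/js/bin.exe"), ("GET", "/wp-content/uploads/vv.exe"),
                ("POST", "/gate.php")}

# Assumed (constructed) proxy log format, one request per line:
#   client_ip method host path dest_ip
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
                    r"(?P<path>\S+) (?P<dst>\S+)$")

def match_line(line):
    """Return (client_ip, [reasons]) if the line hits any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    host = m["host"].lower()
    if host in IOC_DOMAINS:
        reasons.append("domain:" + host)
    elif host.endswith(IOC_SUFFIXES):
        reasons.append("tor2web:" + host)
    if m["dst"] in IOC_IPS:
        reasons.append("ip:" + m["dst"])
    # Method/path matching still fires after the hosting domain changes,
    # which is the weakness of the domain blacklist noted above.
    if (m["method"], m["path"]) in IOC_REQUESTS:
        reasons.append("uri:%s %s" % (m["method"], m["path"]))
    return (m["client"], reasons) if reasons else None

def scan(lines):
    """Group hits per client address so one machine's activity is seen together."""
    hits = {}
    for line in lines:
        found = match_line(line)
        if found:
            hits.setdefault(found[0], []).extend(found[1])
    return hits

# Constructed sample log lines (documentation IPs), not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 GET drevenak.cz /js/bin.exe 217.31.49.20
10.0.0.5 GET api.ipify.org / 203.0.113.9
10.0.0.5 POST example.tor2web.org /gate.php 198.51.100.4
10.0.0.7 GET www.example.com /index.html 203.0.113.10
"""
```

Note that api.ipify.org is a public IP-lookup service used by plenty of legitimate software, so a hit on it alone is weak evidence; treat it as supporting context for the other indicators rather than a verdict on its own.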

Links: